pwnalbe.kr –collision

image-20220207125723369

由题可知和MD5哈希算法有关。

1.连接

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
┌──(root💀kali)-[/home/kali/桌面]
└─# ssh col@pwnable.kr -p2222                                                                     130 ⨯
col@pwnable.kr's password: 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

 ____  __    __  ____    ____  ____   _        ___      __  _  ____  
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \ 
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    / 
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \ 
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|
                                                                     
- Site admin : daehee87@gatech.edu
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
You have mail.
Last login: Sun Feb  6 23:54:49 2022 from 14.108.156.37
col@pwnable:~$ ls -al
total 36
drwxr-x---   5 root    col     4096 Oct 23  2016 .
drwxr-xr-x 116 root    root    4096 Nov 11 14:52 ..
d---------   2 root    root    4096 Jun 12  2014 .bash_history
-r-sr-x---   1 col_pwn col     7341 Jun 11  2014 col
-rw-r--r--   1 root    root     555 Jun 12  2014 col.c
-r--r-----   1 col_pwn col_pwn   52 Jun 11  2014 flag
dr-xr-xr-x   2 root    root    4096 Aug 20  2014 .irssi
drwxr-xr-x   2 root    root    4096 Oct 23  2016 .pwntools-cache

接下来有两种方法

  1. 直接在连接的ssh打开col.c文件。

    1
    col@pwnable:~$ cat col.c

  2. 通过scp指令下载文件到虚拟机。

    1
    2
    ┌──(root💀kali)-[/home/kali/桌面]
    └─# scp -P2222 col@pwnable.kr:col.c .

两种方法都可以用,scp指令以后可能会用到。

2. 分析文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#include <stdio.h>
#include <string.h>
unsigned long hashcode = 0x21DD09EC;
unsigned long check_password(const char* p){
        int* ip = (int*)p;
        int i;
        int res=0;
        for(i=0; i<5; i++){
                res += ip[i];
        }
        return res;
}

int main(int argc, char* argv[]){
        if(argc<2){
                printf("usage : %s [passcode]\n", argv[0]);
                return 0;
        }
        if(strlen(argv[1]) != 20){
                printf("passcode length should be 20 bytes\n");
                return 0;
        }

        if(hashcode == check_password( argv[1] )){
                system("/bin/cat flag");
                return 0;
        }
        else
                printf("wrong passcode.\n");
        return 0;
}

由源文件可以知道该文件是将接受命令行参数并将其转换为整数形式。

1
2
3
if(strlen(argv[1]) != 20){
               printf("passcode length should be 20 bytes\n");
               return 0;

且限定命令行参数为20个字符。

1
2
3
4
5
6
7
8
9
10
unsigned long hashcode = 0x21DD09EC;
unsigned long check_password(const char* p){
        int* ip = (int*)p;
        int i;
        int res=0;
        for(i=0; i<5; i++){
                res += ip[i];
        }
        return res;
}

通过分析check_password函数可知,将20字节的命令行参数转换为五个4字节的整数后。再相加为hashcode即可。

3. 解题

vim编写python脚本

1
2
3
4
5
6
from pwn import * #导入pwntools模块
str3 = p32(0x01010101)*4 + p32(0x1DD905E8)  #构造payload    
s = ssh(host='pwnable.kr', port=2222, user='col', password='guest')#ssh连接主机
s.connected()
cn = s.process(argv=['col', str3], executable='./col')
print cn.recv()

代码中的p32是将括号里的字符转换为32位小端字节序的格式,32位格式下为4bit,同样的,还有p16,p64这样的函数,p32 转换4bit. p64 和 p16 则分别转换 8 bit 和 2 bit 数字。

process是开启一个进程

将hashcode拆解为4个0x01010101和一个0x1DD905E8.

再接受返回的flag。

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root💀kali)-[/home/kali/桌面]
└─# python col.py                                                                                   1 ⨯
/usr/local/lib/python2.7/dist-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends import default_backend
[+] Connecting to pwnable.kr on port 2222: Done
[*] col@pwnable.kr:
    Distro    Ubuntu 16.04
    OS:       linux
    Arch:     amd64
    Version:  4.4.179
    ASLR:     Enabled
[+] Starting remote process bytearray(b'./col') on pwnable.kr: pid 325538
daddy! I just managed to create a hash collision :)